Removing setuid binaries from the system

Hey there!

Secureblue is a project we should keep an eye on. They do quite some things that make total sense, in some others they may break things.

They removed a lot of setuid binaries:

They also remove:

  • su
  • sudo
  • pkexec
  • chsh

Personal experience

I personally have encountered edge cases when using rsync with run0 instead of sudo.

But apart from that, I now use run0 exclusively. My main account has no wheel anymore, and I have a second sysadm_u user in the wheel group. Works perfectly with run0, for example

  • KDE partition manager
  • kio-admin in Dolphin
  • Kate Editor

Impact

pkexec should be replaceable with run0 as it works exactly the same afaik. sudo has a cooldown timer and configs, which is pretty different.

Afaik su and chsh provide features, can their features be replaced?